## ## Core policy for shells, and generic programs ## in /bin, /sbin, /usr/bin, and /usr/sbin. ## ## ## Contains the base bin and sbin directory types ## which need to be searched for the kernel to ## run init. ## ######################################## ## ## Create a aliased type to generic bin files. ## ## ##

## Create a aliased type to generic bin files. ##

##

## This is added to support targeted policy. Its ## use should be limited. It has no effect ## on the strict policy. ##

##
## ## Alias type for bin_t. ## interface(`corecmd_bin_alias',` ifdef(`targeted_policy',` gen_require(` type bin_t; ') typealias bin_t alias $1; ',` errprint(`Warning: $0($1) has no effect in strict policy.'__endline__) ') ') ######################################## ## ## Make the shell an entrypoint for the specified domain. ## ## ## The domain for which the shell is an entrypoint. ## interface(`corecmd_shell_entry_type',` gen_require(` type shell_exec_t; ') domain_entry_file($1,shell_exec_t) ') ######################################## # # corecmd_search_bin(domain) # interface(`corecmd_search_bin',` gen_require(` type bin_t; ') allow $1 bin_t:dir search; ') ######################################## # # corecmd_list_bin(domain) # interface(`corecmd_list_bin',` gen_require(` type bin_t; ') allow $1 bin_t:dir r_dir_perms; ') ######################################## ## ## Get the attributes of files in bin directories. ## ## ## Domain allowed access. ## # interface(`corecmd_getattr_bin_files',` gen_require(` type bin_t; ') allow $1 bin_t:file getattr; ') ######################################## ## ## Read files in bin directories. ## ## ## Domain allowed access. ## # interface(`corecmd_read_bin_files',` gen_require(` type bin_t; ') allow $1 bin_t:dir search; allow $1 bin_t:file r_file_perms; ') ######################################## ## ## Read symbolic links in bin directories. ## ## ## Domain allowed access. ## # interface(`corecmd_read_bin_symlinks',` gen_require(` type bin_t; ') allow $1 bin_t:dir search; allow $1 bin_t:lnk_file r_file_perms; ') ######################################## ## ## Read pipes in bin directories. ## ## ## Domain allowed access. ## # interface(`corecmd_read_bin_pipes',` gen_require(` type bin_t; ') allow $1 bin_t:dir search; allow $1 bin_t:fifo_file r_file_perms; ') ######################################## ## ## Read named sockets in bin directories. ## ## ## Domain allowed access. ## # interface(`corecmd_read_bin_sockets',` gen_require(` type bin_t; ') allow $1 bin_t:dir search; allow $1 bin_t:sock_file r_file_perms; ') ######################################## # # corecmd_exec_bin(domain) # interface(`corecmd_exec_bin',` gen_require(` type bin_t; ') allow $1 bin_t:dir r_dir_perms; allow $1 bin_t:lnk_file r_file_perms; can_exec($1,bin_t) ') ######################################## ## ## Create, read, write, and delete bin files. ## ## ## Domain allowed access. ## # interface(`corecmd_manage_bin_files',` gen_require(` type bin_t; ') allow $1 bin_t:dir rw_dir_perms; allow $1 bin_t:file manage_file_perms; ') ######################################## ## ## Relabel to and from the bin type. ## ## ## Domain allowed access. ## # interface(`corecmd_relabel_bin_files',` gen_require(` type bin_t; ') allow $1 bin_t:dir search_dir_perms; allow $1 bin_t:file { relabelfrom relabelto }; ') ######################################## ## ## Mmap a bin file as executable. ## ## ## Domain allowed access. ## # interface(`corecmd_mmap_bin_files',` gen_require(` type bin_t; ') allow $1 bin_t:dir search_dir_perms; allow $1 bin_t:file { getattr read execute }; ') ######################################## ## ## Execute a file in a bin directory ## in the specified domain but do not ## do it automatically. This is an explicit ## transition, requiring the caller to use setexeccon(). ## ## ##

## Execute a file in a bin directory ## in the specified domain. This allows ## the specified domain to execute any file ## on these filesystems in the specified ## domain. This is not suggested. ##

##

## No interprocess communication (signals, pipes, ## etc.) is provided by this interface since ## the domains are not owned by this module. ##

##

## This interface was added to handle ## the userhelper policy. ##

##
## ## Domain allowed access. ## ## ## The type of the new process. ## # interface(`corecmd_bin_spec_domtrans',` gen_require(` type bin_t; ') allow $1 bin_t:dir search; allow $1 bin_t:lnk_file { getattr read }; domain_trans($1,bin_t,$2) ') ######################################## ## ## Execute a file in a bin directory ## in the specified domain. ## ## ##

## Execute a file in a bin directory ## in the specified domain. This allows ## the specified domain to execute any file ## on these filesystems in the specified ## domain. This is not suggested. ##

##

## No interprocess communication (signals, pipes, ## etc.) is provided by this interface since ## the domains are not owned by this module. ##

##

## This interface was added to handle ## the ssh-agent policy. ##

##
## ## Domain allowed access. ## ## ## The type of the new process. ## # interface(`corecmd_bin_domtrans',` gen_require(` type bin_t; ') corecmd_bin_spec_domtrans($1,$2) type_transition $1 bin_t:process $2; ') ######################################## # # corecmd_search_sbin(domain) # interface(`corecmd_search_sbin',` gen_require(` type sbin_t; ') allow $1 sbin_t:dir search_dir_perms; ') ######################################## ## ## Do not audit attempts to search ## sbin directories. ## ## ## Domain to not audit. ## # interface(`corecmd_dontaudit_search_sbin',` gen_require(` type sbin_t; ') dontaudit $1 sbin_t:dir search_dir_perms; ') ######################################## # # corecmd_list_sbin(domain) # interface(`corecmd_list_sbin',` gen_require(` type sbin_t; ') allow $1 sbin_t:dir r_dir_perms; ') ######################################## # # corecmd_getattr_sbin_files(domain) # interface(`corecmd_getattr_sbin_files',` gen_require(` type sbin_t; ') allow $1 sbin_t:file getattr; ') ######################################## # # corecmd_dontaudit_getattr_sbin_files(domain) # interface(`corecmd_dontaudit_getattr_sbin_files',` gen_require(` type sbin_t; ') dontaudit $1 sbin_t:file getattr; ') ######################################## ## ## Read files in sbin directories. ## ## ## Domain allowed access. ## # interface(`corecmd_read_sbin_files',` gen_require(` type sbin_t; ') allow $1 sbin_t:dir search; allow $1 sbin_t:file r_file_perms; ') ######################################## ## ## Read symbolic links in sbin directories. ## ## ## Domain allowed access. ## # interface(`corecmd_read_sbin_symlinks',` gen_require(` type sbin_t; ') allow $1 sbin_t:dir search; allow $1 sbin_t:lnk_file r_file_perms; ') ######################################## ## ## Read named pipes in sbin directories. ## ## ## Domain allowed access. ## # interface(`corecmd_read_sbin_pipes',` gen_require(` type sbin_t; ') allow $1 sbin_t:dir search; allow $1 sbin_t:fifo_file r_file_perms; ') ######################################## ## ## Read named sockets in sbin directories. ## ## ## Domain allowed access. ## # interface(`corecmd_read_sbin_sockets',` gen_require(` type sbin_t; ') allow $1 sbin_t:dir search; allow $1 sbin_t:sock_file r_file_perms; ') ######################################## # # corecmd_exec_sbin(domain) # interface(`corecmd_exec_sbin',` gen_require(` type sbin_t; ') allow $1 sbin_t:dir r_dir_perms; allow $1 sbin_t:lnk_file r_file_perms; can_exec($1,sbin_t) ') ######################################## ## ## Create, read, write, and delete sbin files. ## ## ## Domain allowed access. ## # # cjp: added for prelink interface(`corecmd_manage_sbin_files',` gen_require(` type sbin_t; ') allow $1 sbin_t:dir rw_dir_perms; allow $1 sbin_t:file manage_file_perms; ') ######################################## ## ## Relabel to and from the sbin type. ## ## ## Domain allowed access. ## # # cjp: added for prelink interface(`corecmd_relabel_sbin_files',` gen_require(` type sbin_t; ') allow $1 sbin_t:dir search_dir_perms; allow $1 sbin_t:file { relabelfrom relabelto }; ') ######################################## ## ## Mmap a sbin file as executable. ## ## ## Domain allowed access. ## # # cjp: added for prelink interface(`corecmd_mmap_sbin_files',` gen_require(` type sbin_t; ') allow $1 sbin_t:dir search_dir_perms; allow $1 sbin_t:file { getattr read execute }; ') ######################################## ## ## Execute a file in a sbin directory ## in the specified domain. ## ## ##

## Execute a file in a sbin directory ## in the specified domain. This allows ## the specified domain to execute any file ## on these filesystems in the specified ## domain. This is not suggested. ##

##

## No interprocess communication (signals, pipes, ## etc.) is provided by this interface since ## the domains are not owned by this module. ##

##

## This interface was added to handle ## the ssh-agent policy. ##

##
## ## Domain allowed access. ## ## ## The type of the new process. ## # interface(`corecmd_sbin_domtrans',` gen_require(` type sbin_t; ') allow $1 sbin_t:dir search; allow $1 sbin_t:lnk_file { getattr read }; domain_auto_trans($1,sbin_t,$2) ') ######################################## ## ## Execute a file in a sbin directory ## in the specified domain but do not ## do it automatically. This is an explicit ## transition, requiring the caller to use setexeccon(). ## ## ##

## Execute a file in a sbin directory ## in the specified domain. This allows ## the specified domain to execute any file ## on these filesystems in the specified ## domain. This is not suggested. ##

##

## No interprocess communication (signals, pipes, ## etc.) is provided by this interface since ## the domains are not owned by this module. ##

##

## This interface was added to handle ## the userhelper policy. ##

##
## ## Domain allowed access. ## ## ## The type of the new process. ## # interface(`corecmd_sbin_spec_domtrans',` gen_require(` type sbin_t; ') allow $1 sbin_t:dir search; allow $1 sbin_t:lnk_file { getattr read }; domain_trans($1,sbin_t,$2) ') ######################################## ## ## Check if a shell is executable (DAC-wise). ## ## ## Domain allowed access. ## # interface(`corecmd_check_exec_shell',` gen_require(` type bin_t, shell_exec_t; ') allow $1 bin_t:dir r_dir_perms; allow $1 bin_t:lnk_file r_file_perms; allow $1 shell_exec_t:file execute; ') ######################################## # # corecmd_exec_shell(domain) # interface(`corecmd_exec_shell',` gen_require(` type bin_t, shell_exec_t; ') allow $1 bin_t:dir r_dir_perms; allow $1 bin_t:lnk_file r_file_perms; can_exec($1,shell_exec_t) ') ######################################## # # corecmd_exec_ls(domain) # interface(`corecmd_exec_ls',` gen_require(` type bin_t, ls_exec_t; ') allow $1 bin_t:dir r_dir_perms; allow $1 bin_t:lnk_file r_file_perms; can_exec($1,ls_exec_t) ') ######################################## ## ## Execute a shell in the target domain. This ## is an explicit transition, requiring the ## caller to use setexeccon(). ## ## ##

## Execute a shell in the target domain. This ## is an explicit transition, requiring the ## caller to use setexeccon(). ##

##

## No interprocess communication (signals, pipes, ## etc.) is provided by this interface since ## the domains are not owned by this module. ##

##
## ## Domain allowed access. ## ## ## The type of the shell process. ## # interface(`corecmd_shell_spec_domtrans',` gen_require(` type bin_t, shell_exec_t; ') allow $1 bin_t:dir r_dir_perms; allow $1 bin_t:lnk_file r_file_perms; domain_trans($1,shell_exec_t,$2) ') ######################################## ## ## Execute a shell in the specified domain. ## ## ##

## Execute a shell in the specified domain. ##

##

## No interprocess communication (signals, pipes, ## etc.) is provided by this interface since ## the domains are not owned by this module. ##

##
## ## Domain allowed access. ## ## ## The type of the shell process. ## # interface(`corecmd_shell_domtrans',` gen_require(` type shell_exec_t; ') corecmd_shell_spec_domtrans($1,$2) type_transition $1 shell_exec_t:process $2; ') ######################################## # # corecmd_exec_chroot(domain) # interface(`corecmd_exec_chroot',` gen_require(` type chroot_exec_t; ') can_exec($1,chroot_exec_t) allow $1 self:capability sys_chroot; ')